diff --git a/man/gnt-cluster.rst b/man/gnt-cluster.rst
index c821cd76f255e1a731cd6e43134605766bb39af1..88511197a84365a178af0087aaaea1ee66df23c3 100644
--- a/man/gnt-cluster.rst
+++ b/man/gnt-cluster.rst
@@ -520,6 +520,8 @@ RENEW-CRYPTO
 | **renew-crypto** [-f]
 | [--new-cluster-certificate] [--new-confd-hmac-key]
 | [--new-rapi-certificate] [--rapi-certificate *rapi-cert*]
+| [--new-spice-certificate | --spice-certificate *spice-cert*
+| -- spice-ca-certificate *spice-ca-cert*]
 | [--new-cluster-domain-secret] [--cluster-domain-secret *filename*]
 
 This command will stop all Ganeti daemons in the cluster and start
@@ -533,6 +535,12 @@ ganeti-rapi(8)) specify ``--new-rapi-certificate``. If you want to
 use your own certificate, e.g. one signed by a certificate
 authority (CA), pass its filename to ``--rapi-certificate``.
 
+To generate a new self-signed SPICE certificate, used by SPICE
+connections to the KVM hypervisor, specify the
+``--new-spice-certificate`` option. If you want to provide a
+certificate, pass its filename to ``--spice-certificate`` and pass the
+signing CA certificate to ``--spice-ca-certificate``.
+
 ``--new-cluster-domain-secret`` generates a new, random cluster
 domain secret. ``--cluster-domain-secret`` reads the secret from a
 file. The cluster domain secret is used to sign information
diff --git a/man/gnt-instance.rst b/man/gnt-instance.rst
index 9ae83c21b568c2239c5bc982cf3d8ba2668c8f63..16bf89baf7522e4b0da5feb4b25c401f3b275596 100644
--- a/man/gnt-instance.rst
+++ b/man/gnt-instance.rst
@@ -353,6 +353,12 @@ spice\_playback\_compression
 
     Configures whether SPICE should compress audio streams or not.
 
+spice\_use\_tls
+    Valid for the KVM hypervisor.
+
+    Specifies that the SPICE server must use TLS to encrypt all the
+    traffic with the client.
+
 acpi
     Valid for the Xen HVM and KVM hypervisors.